Ubuntu Security Notice 7096-1 - Andy Boothe discovered that the Networking component of OpenJDK 8 did not properly handle access under certain circumstances. An unauthenticated attacker could possibly use this issue to cause a denial of service. It was discovered that the Hotspot component of OpenJDK 8 did not properly handle vectorization under certain circumstances. An unauthenticated attacker could possibly use this issue to access unauthorized resources and expose sensitive information.

==========================================================================  
Ubuntu Security Notice USN-7096-1  
November 11, 2024

openjdk-8 vulnerabilities  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 24.10  
- Ubuntu 24.04 LTS  
- Ubuntu 22.04 LTS  
- Ubuntu 20.04 LTS  
- Ubuntu 18.04 LTS  
- Ubuntu 16.04 LTS

Summary:

Several security issues were fixed in OpenJDK 8.

Software Description:  
- openjdk-8: Open Source Java implementation

Details:

Andy Boothe discovered that the Networking component of OpenJDK 8 did not  
properly handle access under certain circumstances. An unauthenticated  
attacker could possibly use this issue to cause a denial of service.  
(CVE-2024-21208)

It was discovered that the Hotspot component of OpenJDK 8 did not properly  
handle vectorization under certain circumstances. An unauthenticated  
attacker could possibly use this issue to access unauthorized resources  
and expose sensitive information. (CVE-2024-21210, CVE-2024-21235)

It was discovered that the Serialization component of OpenJDK 8 did not  
properly handle deserialization under certain circumstances. An  
unauthenticated attacker could possibly use this issue to cause a denial  
of service. (CVE-2024-21217)

It was discovered that the Hotspot component of OpenJDK 8 was not properly  
bounding certain UTF-8 strings, which could lead to a buffer overflow. An  
attacker could possibly use this issue to cause a denial of service or  
execute arbitrary code. This issue was only addressed in Ubuntu 16.04 LTS.  
(CVE-2024-21131)

It was discovered that the Hotspot component of OpenJDK 8 could be made to  
run into an infinite loop. If an automated system were tricked into  
processing excessively large symbols, an attacker could possibly use this  
issue to cause a denial of service. This issue was only addressed in Ubuntu  
16.04 LTS. (CVE-2024-21138)

It was discovered that the Hotspot component of OpenJDK 8 did not properly  
perform range check elimination. An attacker could possibly use this issue  
to cause a denial of service, execute arbitrary code or bypass Java  
sandbox restrictions. This issue was only addressed in Ubuntu 16.04 LTS.  
(CVE-2024-21140)

Yakov Shafranovich discovered that the Concurrency component of OpenJDK 8  
incorrectly performed header validation in the Pack200 archive format. An  
attacker could possibly use this issue to cause a denial of service. This  
issue was only addressed in Ubuntu 16.04 LTS. (CVE-2024-21144)

Sergey Bylokhov discovered that OpenJDK 8 did not properly manage memory  
when handling 2D images. An attacker could possibly use this issue to  
obtain sensitive information. This issue was only addressed in Ubuntu  
16.04 LTS. (CVE-2024-21145)

It was discovered that the Hotspot component of OpenJDK 8 incorrectly  
handled memory when performing range check elimination under certain  
circumstances. An attacker could possibly use this issue to cause a  
denial of service, execute arbitrary code or bypass Java sandbox  
restrictions. This issue was only addressed in Ubuntu 16.04 LTS.  
(CVE-2024-21147)

It was discovered that the Hotspot component of OpenJDK 8 incorrectly  
handled certain exceptions with specially crafted long messages. An  
attacker could possibly use this issue to cause a denial of service.  
This issue was only addressed in Ubuntu 16.04 LTS. (CVE-2024-21011)

Vladimir Kondratyev discovered that the Hotspot component of OpenJDK 8  
incorrectly handled address offset calculations in the C1 compiler. An  
attacker could possibly use this issue to cause a denial of service  
or execute arbitrary code. This issue was only addressed in Ubuntu  
16.04 LTS. (CVE-2024-21068)

Yakov Shafranovich discovered that OpenJDK 8 did not properly manage  
memory in the Pack200 archive format. An attacker could possibly use this  
issue to cause a denial of service. This issue was only addressed in Ubuntu  
16.04 LTS. (CVE-2024-21085)

It was discovered that the Hotspot component of OpenJDK 8 incorrectly  
handled array accesses in the C2 compiler. An attacker could possibly use  
this issue to cause a denial of service or execute arbitrary code. This  
issue was only addressed in Ubuntu 16.04 LTS. (CVE-2024-21094)

Yi Yang discovered that the Hotspot component of OpenJDK 8 incorrectly  
handled array accesses in the C1 compiler. An attacker could possibly  
use this issue to cause a denial of service, execute arbitrary code or  
bypass Java sandbox restrictions. This issue was only addressed in Ubuntu  
16.04 LTS. (CVE-2024-20918)

It was discovered that the Hotspot component of OpenJDK 8 did not  
properly verify bytecode in certain situations. An attacker could  
possibly use this issue to bypass Java sandbox restrictions. This  
issue was only addressed in Ubuntu 16.04 LTS. (CVE-2024-20919)

It was discovered that the Hotspot component of OpenJDK 8 had an  
optimization flaw when generating range check loop predicates. An attacker  
could possibly use this issue to cause a denial of service, execute  
arbitrary code or bypass Java sandbox restrictions. This issue was only  
addressed in Ubuntu 16.04 LTS. (CVE-2024-20921)

Valentin Eudeline discovered that OpenJDK 8 incorrectly handled certain  
options in the Nashorn JavaScript subcomponent. An attacker could  
possibly use this issue to execute arbitrary code. This issue was only  
addressed in Ubuntu 16.04 LTS. (CVE-2024-20926)

It was discovered that OpenJDK 8 could produce debug logs that contained  
private keys used for digital signatures. An attacker could possibly use  
this issue to obtain sensitive information. This issue was only addressed  
in Ubuntu 16.04 LTS. (CVE-2024-20945)

Hubert Kario discovered that the TLS implementation in OpenJDK 8 had a  
timing side-channel and incorrectly handled RSA padding. A remote attacker  
could possibly use this issue to recover sensitive information. This  
issue was only addressed in Ubuntu 16.04 LTS. (CVE-2024-20952)

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 24.10  
  openjdk-8-jdk                   8u432-ga~us1-0ubuntu2~24.10  
  openjdk-8-jdk-headless          8u432-ga~us1-0ubuntu2~24.10  
  openjdk-8-jre                   8u432-ga~us1-0ubuntu2~24.10  
  openjdk-8-jre-headless          8u432-ga~us1-0ubuntu2~24.10  
  openjdk-8-jre-zero              8u432-ga~us1-0ubuntu2~24.10

Ubuntu 24.04 LTS  
  openjdk-8-jdk                   8u432-ga~us1-0ubuntu2~24.04  
  openjdk-8-jdk-headless          8u432-ga~us1-0ubuntu2~24.04  
  openjdk-8-jre                   8u432-ga~us1-0ubuntu2~24.04  
  openjdk-8-jre-headless          8u432-ga~us1-0ubuntu2~24.04  
  openjdk-8-jre-zero              8u432-ga~us1-0ubuntu2~24.04

Ubuntu 22.04 LTS  
  openjdk-8-jdk                   8u432-ga~us1-0ubuntu2~22.04  
  openjdk-8-jdk-headless          8u432-ga~us1-0ubuntu2~22.04  
  openjdk-8-jre                   8u432-ga~us1-0ubuntu2~22.04  
  openjdk-8-jre-headless          8u432-ga~us1-0ubuntu2~22.04  
  openjdk-8-jre-zero              8u432-ga~us1-0ubuntu2~22.04

Ubuntu 20.04 LTS  
  openjdk-8-jdk                   8u432-ga~us1-0ubuntu2~20.04  
  openjdk-8-jdk-headless          8u432-ga~us1-0ubuntu2~20.04  
  openjdk-8-jre                   8u432-ga~us1-0ubuntu2~20.04  
  openjdk-8-jre-headless          8u432-ga~us1-0ubuntu2~20.04  
  openjdk-8-jre-zero              8u432-ga~us1-0ubuntu2~20.04

Ubuntu 18.04 LTS  
  openjdk-8-jdk                   8u432-ga~us1-0ubuntu2~18.04  
                                  Available with Ubuntu Pro  
  openjdk-8-jdk-headless          8u432-ga~us1-0ubuntu2~18.04  
                                  Available with Ubuntu Pro  
  openjdk-8-jre                   8u432-ga~us1-0ubuntu2~18.04  
                                  Available with Ubuntu Pro  
  openjdk-8-jre-headless          8u432-ga~us1-0ubuntu2~18.04  
                                  Available with Ubuntu Pro  
  openjdk-8-jre-zero              8u432-ga~us1-0ubuntu2~18.04  
                                  Available with Ubuntu Pro

Ubuntu 16.04 LTS  
  openjdk-8-jdk                   8u432-ga~us1-0ubuntu2~16.04.4  
                                  Available with Ubuntu Pro  
  openjdk-8-jdk-headless          8u432-ga~us1-0ubuntu2~16.04.4  
                                  Available with Ubuntu Pro  
  openjdk-8-jre                   8u432-ga~us1-0ubuntu2~16.04.4  
                                  Available with Ubuntu Pro  
  openjdk-8-jre-headless          8u432-ga~us1-0ubuntu2~16.04.4  
                                  Available with Ubuntu Pro  
  openjdk-8-jre-jamvm             8u432-ga~us1-0ubuntu2~16.04.4  
                                  Available with Ubuntu Pro  
  openjdk-8-jre-zero              8u432-ga~us1-0ubuntu2~16.04.4  
                                  Available with Ubuntu Pro

This update uses a new upstream release, which includes additional bug  
fixes. After a standard system update you need to restart Java  
applications to make all the necessary changes.

References:  
  https://ubuntu.com/security/notices/USN-7096-1  
  CVE-2024-20918, CVE-2024-20919, CVE-2024-20921, CVE-2024-20926,  
  CVE-2024-20945, CVE-2024-20952, CVE-2024-21011, CVE-2024-21068,  
  CVE-2024-21085, CVE-2024-21094, CVE-2024-21131, CVE-2024-21138,  
  CVE-2024-21140, CVE-2024-21144, CVE-2024-21145, CVE-2024-21147,  
  CVE-2024-21208, CVE-2024-21210, CVE-2024-21217, CVE-2024-21235

Package Information:  
https://launchpad.net/ubuntu/+source/openjdk-8/8u432-ga~us1-0ubuntu2~24.10  
https://launchpad.net/ubuntu/+source/openjdk-8/8u432-ga~us1-0ubuntu2~24.04  
https://launchpad.net/ubuntu/+source/openjdk-8/8u432-ga~us1-0ubuntu2~22.04  
https://launchpad.net/ubuntu/+source/openjdk-8/8u432-ga~us1-0ubuntu2~20.04

Ubuntu Security Notice USN-7096-1

Ubuntu Security Notice 7094-1 - It was discovered that QEMU incorrectly handled memory during certain VNC operations. A remote attacker could possibly use this issue to cause QEMU to consume resources, resulting in a denial of service. This issue only affected Ubuntu 14.04 LTS. It was discovered that QEMU incorrectly handled certain memory copy operations when loading ROM contents. If a user were tricked into running an untrusted kernel image, a remote attacker could possibly use this issue to run arbitrary code. This issue only affected Ubuntu 14.04 LTS.

==========================================================================  
Ubuntu Security Notice USN-7094-1  
November 08, 2024

qemu vulnerabilities  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 24.10  
- Ubuntu 24.04 LTS  
- Ubuntu 22.04 LTS  
- Ubuntu 20.04 LTS  
- Ubuntu 18.04 LTS  
- Ubuntu 16.04 LTS  
- Ubuntu 14.04 LTS

Summary:

Several security issues were fixed in QEMU.

Software Description:  
- qemu: Machine emulator and virtualizer

Details:

It was discovered that QEMU incorrectly handled memory during certain VNC  
operations. A remote attacker could possibly use this issue to cause QEMU  
to consume resources, resulting in a denial of service. This issue only  
affected Ubuntu 14.04 LTS. (CVE-2019-20382)

It was discovered that QEMU incorrectly handled certain memory copy  
operations when loading ROM contents. If a user were tricked into running  
an untrusted kernel image, a remote attacker could possibly use this issue  
to run arbitrary code. This issue only affected Ubuntu 14.04 LTS.  
(CVE-2020-13765)

Aviv Sasson discovered that QEMU incorrectly handled Slirp networking. A  
remote attacker could use this issue to cause QEMU to crash, resulting in a  
denial of service, or possibly execute arbitrary code. This issue only  
affected Ubuntu 14.04 LTS. (CVE-2020-1983)

It was discovered that the SLiRP networking implementation of the QEMU  
emulator did not properly manage memory under certain circumstances. An  
attacker could use this to cause a heap-based buffer overflow or other out-  
of-bounds access, which can lead to a denial of service (application crash)  
or potential execute arbitrary code. This issue only affected  
Ubuntu 14.04 LTS. (CVE-2020-7039)

It was discovered that the SLiRP networking implementation of the QEMU  
emulator misuses snprintf return values. An attacker could use this to  
cause a denial of service (application crash) or potentially execute  
arbitrary code. This issue only affected Ubuntu 14.04 LTS. (CVE-2020-8608)

It was discovered that QEMU SLiRP networking incorrectly handled certain  
udp packets. An attacker inside a guest could possibly use this issue to  
leak sensitive information from the host. This issue only affected  
Ubuntu 14.04 LTS and Ubuntu 16.04 LTS. (CVE-2021-3592, CVE-2021-3594)

It was discovered that QEMU had a DMA reentrancy issue, leading to a  
use-after-free vulnerability. An attacker could possibly use this issue  
to cause a denial of service. This issue only affected Ubuntu 18.04 LTS,  
Ubuntu 20.04 LTS and Ubuntu 22.04 LTS. (CVE-2023-3019)

It was discovered that QEMU had a flaw in Virtio PCI Bindings, leading  
to a triggerable crash via vhost_net_stop. An attacker inside a guest  
could possibly use this issue to cause a denial of service. This issue  
only affected Ubuntu 24.04 LTS and Ubuntu 24.10. (CVE-2024-4693)

It was discovered that QEMU incorrectly handled memory in virtio-sound,  
leading to a heap-based buffer overflow. An attacker could possibly use  
this issue to cause a denial of service or execute arbitrary code. This  
issue only affected Ubuntu 24.04 LTS and Ubuntu 24.10. (CVE-2024-7730)

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 24.10  
  qemu-system                     1:9.0.2+ds-4ubuntu5.1  
  qemu-system-arm                 1:9.0.2+ds-4ubuntu5.1  
  qemu-system-mips                1:9.0.2+ds-4ubuntu5.1  
  qemu-system-misc                1:9.0.2+ds-4ubuntu5.1  
  qemu-system-ppc                 1:9.0.2+ds-4ubuntu5.1  
  qemu-system-s390x               1:9.0.2+ds-4ubuntu5.1  
  qemu-system-sparc               1:9.0.2+ds-4ubuntu5.1  
  qemu-system-x86                 1:9.0.2+ds-4ubuntu5.1  
  qemu-system-x86-xen             1:9.0.2+ds-4ubuntu5.1  
  qemu-system-xen                 1:9.0.2+ds-4ubuntu5.1

Ubuntu 24.04 LTS  
  qemu-system                     1:8.2.2+ds-0ubuntu1.4  
  qemu-system-arm                 1:8.2.2+ds-0ubuntu1.4  
  qemu-system-mips                1:8.2.2+ds-0ubuntu1.4  
  qemu-system-misc                1:8.2.2+ds-0ubuntu1.4  
  qemu-system-ppc                 1:8.2.2+ds-0ubuntu1.4  
  qemu-system-s390x               1:8.2.2+ds-0ubuntu1.4  
  qemu-system-sparc               1:8.2.2+ds-0ubuntu1.4  
  qemu-system-x86                 1:8.2.2+ds-0ubuntu1.4  
  qemu-system-x86-xen             1:8.2.2+ds-0ubuntu1.4  
  qemu-system-xen                 1:8.2.2+ds-0ubuntu1.4

Ubuntu 22.04 LTS  
  qemu                            1:6.2+dfsg-2ubuntu6.24  
  qemu-system                     1:6.2+dfsg-2ubuntu6.24  
  qemu-system-arm                 1:6.2+dfsg-2ubuntu6.24  
  qemu-system-mips                1:6.2+dfsg-2ubuntu6.24  
  qemu-system-misc                1:6.2+dfsg-2ubuntu6.24  
  qemu-system-ppc                 1:6.2+dfsg-2ubuntu6.24  
  qemu-system-s390x               1:6.2+dfsg-2ubuntu6.24  
  qemu-system-sparc               1:6.2+dfsg-2ubuntu6.24  
  qemu-system-x86                 1:6.2+dfsg-2ubuntu6.24  
  qemu-system-x86-microvm         1:6.2+dfsg-2ubuntu6.24  
  qemu-system-x86-xen             1:6.2+dfsg-2ubuntu6.24

Ubuntu 20.04 LTS  
  qemu                            1:4.2-3ubuntu6.30  
  qemu-system                     1:4.2-3ubuntu6.30  
  qemu-system-arm                 1:4.2-3ubuntu6.30  
  qemu-system-mips                1:4.2-3ubuntu6.30  
  qemu-system-misc                1:4.2-3ubuntu6.30  
  qemu-system-ppc                 1:4.2-3ubuntu6.30  
  qemu-system-s390x               1:4.2-3ubuntu6.30  
  qemu-system-sparc               1:4.2-3ubuntu6.30  
  qemu-system-x86                 1:4.2-3ubuntu6.30  
  qemu-system-x86-microvm         1:4.2-3ubuntu6.30  
  qemu-system-x86-xen             1:4.2-3ubuntu6.30

Ubuntu 18.04 LTS  
  qemu                            1:2.11+dfsg-1ubuntu7.42+esm2  
                                  Available with Ubuntu Pro  
  qemu-system                     1:2.11+dfsg-1ubuntu7.42+esm2  
                                  Available with Ubuntu Pro  
  qemu-system-arm                 1:2.11+dfsg-1ubuntu7.42+esm2  
                                  Available with Ubuntu Pro  
  qemu-system-mips                1:2.11+dfsg-1ubuntu7.42+esm2  
                                  Available with Ubuntu Pro  
  qemu-system-misc                1:2.11+dfsg-1ubuntu7.42+esm2  
                                  Available with Ubuntu Pro  
  qemu-system-ppc                 1:2.11+dfsg-1ubuntu7.42+esm2  
                                  Available with Ubuntu Pro  
  qemu-system-s390x               1:2.11+dfsg-1ubuntu7.42+esm2  
                                  Available with Ubuntu Pro  
  qemu-system-sparc               1:2.11+dfsg-1ubuntu7.42+esm2  
                                  Available with Ubuntu Pro  
  qemu-system-x86                 1:2.11+dfsg-1ubuntu7.42+esm2  
                                  Available with Ubuntu Pro

Ubuntu 16.04 LTS  
  qemu                            1:2.5+dfsg-5ubuntu10.51+esm3  
                                  Available with Ubuntu Pro  
  qemu-system                     1:2.5+dfsg-5ubuntu10.51+esm3  
                                  Available with Ubuntu Pro  
  qemu-system-aarch64             1:2.5+dfsg-5ubuntu10.51+esm3  
                                  Available with Ubuntu Pro  
  qemu-system-arm                 1:2.5+dfsg-5ubuntu10.51+esm3  
                                  Available with Ubuntu Pro  
  qemu-system-common              1:2.5+dfsg-5ubuntu10.51+esm3  
                                  Available with Ubuntu Pro  
  qemu-system-mips                1:2.5+dfsg-5ubuntu10.51+esm3  
                                  Available with Ubuntu Pro  
  qemu-system-misc                1:2.5+dfsg-5ubuntu10.51+esm3  
                                  Available with Ubuntu Pro  
  qemu-system-ppc                 1:2.5+dfsg-5ubuntu10.51+esm3  
                                  Available with Ubuntu Pro  
  qemu-system-s390x               1:2.5+dfsg-5ubuntu10.51+esm3  
                                  Available with Ubuntu Pro  
  qemu-system-sparc               1:2.5+dfsg-5ubuntu10.51+esm3  
                                  Available with Ubuntu Pro  
  qemu-system-x86                 1:2.5+dfsg-5ubuntu10.51+esm3  
                                  Available with Ubuntu Pro

Ubuntu 14.04 LTS  
  qemu                            2.0.0+dfsg-2ubuntu1.47+esm4  
                                  Available with Ubuntu Pro  
  qemu-system                     2.0.0+dfsg-2ubuntu1.47+esm4  
                                  Available with Ubuntu Pro  
  qemu-system-aarch64             2.0.0+dfsg-2ubuntu1.47+esm4  
                                  Available with Ubuntu Pro  
  qemu-system-arm                 2.0.0+dfsg-2ubuntu1.47+esm4  
                                  Available with Ubuntu Pro  
  qemu-system-common              2.0.0+dfsg-2ubuntu1.47+esm4  
                                  Available with Ubuntu Pro  
  qemu-system-mips                2.0.0+dfsg-2ubuntu1.47+esm4  
                                  Available with Ubuntu Pro  
  qemu-system-misc                2.0.0+dfsg-2ubuntu1.47+esm4  
                                  Available with Ubuntu Pro  
  qemu-system-ppc                 2.0.0+dfsg-2ubuntu1.47+esm4  
                                  Available with Ubuntu Pro  
  qemu-system-sparc               2.0.0+dfsg-2ubuntu1.47+esm4  
                                  Available with Ubuntu Pro  
  qemu-system-x86                 2.0.0+dfsg-2ubuntu1.47+esm4  
                                  Available with Ubuntu Pro

After a standard system update you need to restart all QEMU virtual  
machines to make all the necessary changes.

References:  
  https://ubuntu.com/security/notices/USN-7094-1  
  CVE-2019-20382, CVE-2020-13765, CVE-2020-1983, CVE-2020-7039,  
  CVE-2020-8608, CVE-2021-3592, CVE-2021-3594, CVE-2023-3019,  
  CVE-2024-4693, CVE-2024-7730,   
https://bugs.launchpad.net/ubuntu/+source/qemu/+bug/2084210

Package Information:  
  https://launchpad.net/ubuntu/+source/qemu/1:9.0.2+ds-4ubuntu5.1  
  https://launchpad.net/ubuntu/+source/qemu/1:8.2.2+ds-0ubuntu1.4  
  https://launchpad.net/ubuntu/+source/qemu/1:6.2+dfsg-2ubuntu6.24  
  https://launchpad.net/ubuntu/+source/qemu/1:4.2-3ubuntu6.30

Ubuntu Security Notice USN-7094-1

Debian Linux Security Advisory 5807-1 - Several vulnerabilities were discovered in NSS, a set of cryptographic libraries, which may result in denial of service or potentially the execution of arbitrary code.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5807-1                   security@debian.orghttps://www.debian.org/security/                       Moritz MuehlenhoffNovember 10, 2024                     https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : nssCVE ID         : CVE-2024-0743 CVE-2024-6602 CVE-2024-6609Several vulnerabilities were discovered in NSS, a set of cryptographiclibraries, which may result in denial of service or potentially theexecution of arbitary code.For the stable distribution (bookworm), these problems have been fixed inversion 2:3.87.1-1+deb12u1.We recommend that you upgrade your nss packages.For the detailed security status of nss please refer toits security tracker page at:https://security-tracker.debian.org/tracker/nssFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmcxArIACgkQEMKTtsN8TjZ1rBAAqef9LTGZnLYnvNEeRHVOrazORvlEBe7AIpFcBIC1nSRBQ1ZAPENNMUFihkzJHkwS8hTy/VasgxnZTu2MTXhCQllQjISZk4bI+6EvMa+3p9930E9qgaIjPFPqTgYmnhFTq0bqzyDLlQpY6UJQDy0I47oRrHs8qVwEMsAtl6Wg/VkjLdQi68hPk7lpn7R1EihvKsYwKOv6cIU+wZiRk6LzbEdVCzG73FMQhjLh0bGq/R3EFpSL8Hb05j+xR3wWkrW+Gkw20rha5XG7tPqyl/QLLfpc3TO9UG3APUtC5LjBhKIEcUSst/9LkMRRfK5TyjQQQ4TF1K9HbcEkPTk7kAH6SOgOF8gAqftFvorQEAXv4PxrC7qwNYDdlwus2gZvGTif/H1SIfdQe6hZcZ7XWWP5oO1EK4IL4dXeFkbNvvbZu6HfXYKC9r5zzP0lPH5+Zh/LBnUyRibPnF+dCy+SaHHfGOY0Twl266DT2fq4VCUGD4eSI7uAkMniWBcJPdqcfSvOHaGSWkKiJzD7QIZ/51/wLC+6u3goQQc07dAdMhS0tOJAF5UDA33A3tVfpKwNffxW8d5XfyFnZm1D21K29vG1Jtfzk8io19u7UTRLVRRAu3OslvQSuvsoLZSQy6AwwqOUzB7niyXhZpHOqhHvBZa4C2ECB06b21YNc00xxnwiDl4==tVvV-----END PGP SIGNATURE-----

Debian Security Advisory 5807-1

WS02 versions 4.0.0, 4.1.0, and 4.2.0 are susceptible to remote code execution via an arbitrary file upload vulnerability.

WSO2 4.0.0 / 4.1.0 / 4.2.0 Shell Upload

Red Hat Security Advisory 2024-8974-03 - Red Hat Advanced Cluster Management for Kubernetes 2.12.0 GA release images are now available, which contain security and bug fixes.

The following advisory data is extracted from:

https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhsa-2024_8974.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Important: Red Hat Advanced Cluster Management 2.12.0 security and bug fixes  
Advisory ID:        RHSA-2024:8974-03  
Product:            Red Hat ACM  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:8974  
Issue date:         2024-11-11  
Revision:           03  
CVE Names:          CVE-2023-37788  
====================================================================

Summary: 

Red Hat Advanced Cluster Management for Kubernetes 2.12.0 GA release images are now available, which contain security and bug fixes.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE links in the References section.

Description:

Red Hat Advanced Cluster Management for Kubernetes 2.12.0 images

Red Hat Advanced Cluster Management for Kubernetes provides the  
capabilities to address common challenges that administrators and site  
reliability engineers face as they work across a range of public and  
private cloud environments. Clusters and applications are all visible and  
managed from a single console—with security policy built in.

This advisory contains the container images for Red Hat Advanced Cluster  
Management for Kubernetes, which fix several bugs. See the following  
Release Notes documentation, which will be updated shortly for this  
release, for additional details about this release:

https://access.redhat.com/documentation/en-us/red_hat_advanced_cluster_management_for_kubernetes/2.12/html/release_notes/

Security fix(es):

CVE-2024-48949 Missing Validation in Elliptic's EDDSA Signature Verification

Jira issues fixed: 

- ACM-11757: Managed clusters flip between Available and Degraded  
- ACM-12215: Provisioning OpenShift on OpenStack fails. The bootstrap node is failing to get the ignition image from Glance. Failing with tls: failed to verify certificate: x509: certificate signed by unknown authority.  
- ACM-12372: multicluster-observability-operator pod restarts with fatal error concurrent map writes  
- ACM-12738: Endpointmetrics does not reconcile CMO Config changes  
- ACM-13066: upgrade from a 2.10 that failed to update MCE to a 2.11 was possible  
- ACM-13149: cluster-monitoring-config retains old Hub for metrics forwarding after transfer to new Hub  
- ACM-14172: Observability pods should not inherit the defaultNodeSelector from the scheduler

Solution:

https://docs.redhat.com/en/documentation/red_hat_advanced_cluster_management_for_kubernetes/2.12/html/install/installing

CVEs:

CVE-2023-37788

References:

https://access.redhat.com/security/updates/classification/#important  
https://issues.redhat.com/browse/ACM-11757  
https://issues.redhat.com/browse/ACM-12215  
https://issues.redhat.com/browse/ACM-12372  
https://issues.redhat.com/browse/ACM-12738  
https://issues.redhat.com/browse/ACM-13066  
https://issues.redhat.com/browse/ACM-13149  
https://issues.redhat.com/browse/ACM-14172

Red Hat Security Advisory 2024-8974-03

Red Hat Security Advisory 2024-8697-03 - Red Hat OpenShift Container Platform release 4.14.40 is now available with updates to packages and images that fix several bugs and add enhancements. Issues addressed include a denial of service vulnerability.

The following advisory data is extracted from:

https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhsa-2024_8697.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Important: OpenShift Container Platform 4.14.40 bug fix and security update  
Advisory ID:        RHSA-2024:8697-03  
Product:            Red Hat OpenShift Enterprise  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:8697  
Issue date:         2024-11-11  
Revision:           03  
CVE Names:          CVE-2023-29401  
====================================================================

Summary: 

Red Hat OpenShift Container Platform release 4.14.40 is now available with updates to packages and images that fix several bugs and add enhancements.

This release includes a security update for Red Hat OpenShift Container Platform 4.14.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments.

This advisory contains the container images for Red Hat OpenShift Container Platform 4.14.40. See the following advisory for the RPM packages for this release:

https://access.redhat.com/errata/RHSA-2024:8700

Space precludes documenting all of the container images in this advisory. See the following Release Notes documentation, which will be updated shortly for this release, for details about these changes:

https://docs.openshift.com/container-platform/4.14/release_notes/ocp-4-14-release-notes.html

Security Fix(es):

* encoding/gob: golang: Calling Decoder.Decode on a message which contains  
deeply nested structures can cause a panic due to stack exhaustion  
(CVE-2024-34156)  
* golang-github-gin-gonic-gin: Gin Web Framework does not properly sanitize  
filename parameter of Context.FileAttachment function (CVE-2023-29401)  
* net/http: Denial of service due to improper 100-continue handling in  
net/http (CVE-2024-24791)  
* go/parser: golang: Calling any of the Parse functions containing deeply  
nested literals can cause a panic/stack exhaustion (CVE-2024-34155)  
* go/build/constraint: golang: Calling Parse on a \"// +build\" build tag  
line with deeply nested expressions can cause a panic due to stack  
exhaustion (CVE-2024-34158)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

All OpenShift Container Platform 4.14 users are advised to upgrade to these updated packages and images when they are available in the appropriate release channel. To check for available updates, use the OpenShift CLI (oc) or web console. Instructions for upgrading a cluster are available at https://docs.openshift.com/container-platform/4.14/updating/updating_a_cluster/updating-cluster-cli.html

Solution:

CVEs:

CVE-2023-29401

References:

https://access.redhat.com/security/updates/classification/#important  
https://bugzilla.redhat.com/show_bug.cgi?id=2216957  
https://bugzilla.redhat.com/show_bug.cgi?id=2295310  
https://bugzilla.redhat.com/show_bug.cgi?id=2310527  
https://bugzilla.redhat.com/show_bug.cgi?id=2310528  
https://bugzilla.redhat.com/show_bug.cgi?id=2310529  
https://issues.redhat.com/browse/OCPBUGS-10337  
https://issues.redhat.com/browse/OCPBUGS-39086  
https://issues.redhat.com/browse/OCPBUGS-42935  
https://issues.redhat.com/browse/OCPBUGS-42952  
https://issues.redhat.com/browse/OCPBUGS-43058  
https://issues.redhat.com/browse/OCPBUGS-43368  
https://issues.redhat.com/browse/OCPBUGS-43484  
https://issues.redhat.com/browse/OCPBUGS-43505  
https://issues.redhat.com/browse/OCPBUGS-43628  
https://issues.redhat.com/browse/OCPBUGS-43688  
https://issues.redhat.com/browse/OCPBUGS-43821  
https://issues.redhat.com/browse/OCPBUGS-43916

Red Hat Security Advisory 2024-8697-03

Red Hat Security Advisory 2024-8692-03 - Red Hat OpenShift Container Platform release 4.12.68 is now available with updates to packages and images that fix several bugs and add enhancements. Issues addressed include a denial of service vulnerability.

The following advisory data is extracted from:

https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhsa-2024_8692.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Important: OpenShift Container Platform 4.12.68 security update  
Advisory ID:        RHSA-2024:8692-03  
Product:            Red Hat OpenShift Enterprise  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:8692  
Issue date:         2024-11-11  
Revision:           03  
CVE Names:          CVE-2023-45288  
====================================================================

Summary: 

Red Hat OpenShift Container Platform release 4.12.68 is now available with updates to packages and images that fix several bugs and add enhancements.

This release includes a security update for Red Hat OpenShift Container Platform 4.12.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments.

This advisory contains the container images for Red Hat OpenShift Container Platform 4.12.68. See the following advisory for the RPM packages for this release:

https://access.redhat.com/errata/RHSA-2024:8694

Space precludes documenting all of the container images in this advisory. See the following Release Notes documentation, which will be updated shortly for this release, for details about these changes:

https://docs.openshift.com/container-platform/4.12/release_notes/ocp-4-12-release-notes.html

Security Fix(es):

* golang: net/http, x/net/http2: unlimited number of CONTINUATION frames  
causes DoS (CVE-2023-45288)  
* encoding/gob: golang: Calling Decoder.Decode on a message which contains  
deeply nested structures can cause a panic due to stack exhaustion  
(CVE-2024-34156)  
* net/http: Denial of service due to improper 100-continue handling in  
net/http (CVE-2024-24791)  
* go/parser: golang: Calling any of the Parse functions containing deeply  
nested literals can cause a panic/stack exhaustion (CVE-2024-34155)  
* go/build/constraint: golang: Calling Parse on a \"// +build\" build tag  
line with deeply nested expressions can cause a panic due to stack  
exhaustion (CVE-2024-34158)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.  
All OpenShift Container Platform 4.12 users are advised to upgrade to these updated packages and images when they are available in the appropriate release channel. To check for available updates, use the OpenShift CLI (oc) or web console. Instructions for upgrading a cluster are available at https://docs.openshift.com/container-platform/4.12/updating/updating-cluster-cli.html

Solution:

CVEs:

CVE-2023-45288

References:

https://access.redhat.com/security/updates/classification/#important  
https://bugzilla.redhat.com/show_bug.cgi?id=2268273  
https://bugzilla.redhat.com/show_bug.cgi?id=2295310  
https://bugzilla.redhat.com/show_bug.cgi?id=2310527  
https://bugzilla.redhat.com/show_bug.cgi?id=2310528  
https://bugzilla.redhat.com/show_bug.cgi?id=2310529  
https://issues.redhat.com/browse/OCPBUGS-25783  
https://issues.redhat.com/browse/OCPBUGS-33519  
https://issues.redhat.com/browse/OCPBUGS-37322  
https://issues.redhat.com/browse/OCPBUGS-38382  
https://issues.redhat.com/browse/OCPBUGS-41248  
https://issues.redhat.com/browse/OCPBUGS-43872

Red Hat Security Advisory 2024-8692-03

Red Hat Security Advisory 2024-8688-03 - Red Hat OpenShift Container Platform release 4.13.53 is now available with updates to packages and images that fix several bugs and add enhancements. Issues addressed include a denial of service vulnerability.

The following advisory data is extracted from:

https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhsa-2024_8688.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Important: OpenShift Container Platform 4.13.53 bug fix and security update  
Advisory ID:        RHSA-2024:8688-03  
Product:            Red Hat OpenShift Enterprise  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:8688  
Issue date:         2024-11-11  
Revision:           03  
CVE Names:          CVE-2023-26125  
====================================================================

Summary: 

Red Hat OpenShift Container Platform release 4.13.53 is now available with updates to packages and images that fix several bugs and add enhancements.

This release includes a security update for Red Hat OpenShift Container Platform 4.13.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments.

This advisory contains the container images for Red Hat OpenShift Container Platform 4.13.53. See the following advisory for the RPM packages for this release:

https://access.redhat.com/errata/RHSA-2024:8690

Space precludes documenting all of the container images in this advisory. See the following Release Notes documentation, which will be updated shortly for this release, for details about these changes:

https://docs.openshift.com/container-platform/4.13/release_notes/ocp-4-13-release-notes.html

Security Fix(es):

* golang: net/http, x/net/http2: unlimited number of CONTINUATION frames  
causes DoS (CVE-2023-45288)  
* encoding/gob: golang: Calling Decoder.Decode on a message which contains  
deeply nested structures can cause a panic due to stack exhaustion  
(CVE-2024-34156)  
* golang-github-gin-gonic-gin: Improper Input Validation (CVE-2023-26125)  
* net/http: Denial of service due to improper 100-continue handling in  
net/http (CVE-2024-24791)  
* go/parser: golang: Calling any of the Parse functions containing deeply  
nested literals can cause a panic/stack exhaustion (CVE-2024-34155)  
* go/build/constraint: golang: Calling Parse on a \"// +build\" build tag  
line with deeply nested expressions can cause a panic due to stack  
exhaustion (CVE-2024-34158)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

All OpenShift Container Platform 4.13 users are advised to upgrade to these updated packages and images when they are available in the appropriate release channel. To check for available updates, use the OpenShift CLI (oc) or web console. Instructions for upgrading a cluster are available at https://docs.openshift.com/container-platform/4.13/updating/updating-cluster-cli.html

Solution:

CVEs:

CVE-2023-26125

References:

https://access.redhat.com/security/updates/classification/#important  
https://bugzilla.redhat.com/show_bug.cgi?id=2203769  
https://bugzilla.redhat.com/show_bug.cgi?id=2268273  
https://bugzilla.redhat.com/show_bug.cgi?id=2295310  
https://bugzilla.redhat.com/show_bug.cgi?id=2310527  
https://bugzilla.redhat.com/show_bug.cgi?id=2310528  
https://bugzilla.redhat.com/show_bug.cgi?id=2310529  
https://issues.redhat.com/browse/OCPBUGS-42673  
https://issues.redhat.com/browse/OCPBUGS-43095  
https://issues.redhat.com/browse/OCPBUGS-43856

Red Hat Security Advisory 2024-8688-03

TEL AVIV, Israel, 11th November 2024, CyberNewsWire

**TEL AVIV, Israel, November 11th, 2024, CyberNewsWire**

Customers can now easily integrate Sweet’s runtime detection and response platform into their AWS environments

Sweet Security today announced the availability of its cloud-native detection and response platform on the Amazon Web Services (AWS) marketplace. Sweet’s solution unifies threat detection across cloud infrastructure, network, workloads, and applications. It provides deep runtime context that enables security teams to quickly extract actual attack narratives from a sea of isolated incidents. Using Sweet, AWS Marketplace customers can detect active threats in real time and respond to them within minutes, enabling them to resolve threats with unprecedented speed – 2-5 minute MTTR – and maintain an agile and resilient environment.

AWS customers visiting AWS re:Invent 2024 in Las Vegas can book a meeting to learn more here.

> “Cloud environments are noisy and complex, making them fertile grounds for attackers — deterring them requires detection and response capabilities that, to date, have been aspirational, but we’ve made them table stakes,” said Eyal Fisher, Co-Founder and Chief Product Officer of Sweet Security and former head of the Cyber Operation Center, Unit 8200 (Col., retired). “We’re delighted that our solution is now available to AWS Marketplace customers and look forward to helping them simplify the burden of cloud security and do their jobs faster and better.” 

**What Makes Sweet so Sweet?**

Sweet Security offers detection and response for cloud native environments. Its approach is unique in how it unifies detection across cloud infrastructure, network, workloads, and applications, providing deep runtime context that cuts through the noise and delivers actual attack narratives.

Key Features include:

●     Advanced threat detection and incident response (IR) across infrastructure, network, application, and workload levels.

●     Vulnerability management enriched with runtime insights, reducing CVEs by 99% and putting only the critical risks in front of security personnel.

●     Lean sensor technology that requires minimal resources (50 MB RAM, 0.20% CPU per node) and take only minutes to deploy

●     30+ out-of-the-box integrations with SIEM, SOAR, notification and ticketing systems, and mor

Sweet empowers security teams to achieve a Mean Time to Detect of 30 seconds (MTTD) and a 2-5 minute Mean Time to Resolve (MTTR), transforming cloud security into a more proactive and effective discipline.

For more information, users can visit Sweet Security on the AWS Marketplace.

**About Sweet Security**

Specializing in Cloud Native Detection & Response (D&R), Sweet Security protects cloud environments in real time. Founded by the IDF’s former CISO, Sweet’s solution focuses on the relationships between cloud infrastructure, workloads and applications , as well as network, and identity components. Leveraging a lean, eBPF-based sensor and deep behavioral analysis, Sweet analyzes anomalies, generating vital insights on incidents, vulnerabilities, and non-human identities. Its GenAI-infused technology cuts through the noise and delivers actionable recommendations on critical, real-time cloud risks. Privately funded, Sweet is backed by Evolution Equity Partners, Munich Re Ventures, Glilot Capital Partners, CyberArk Ventures and an elite group of angel investors. For more information, please visit http://sweet.security.

**Contact**

**Account Director**  
**Chloe Amante**  
**Montner Tech PR**  
**\[email protected\]**

Sweet Security Announces Availability of its Cloud Native Detection & Response Platform on the AWS Marketplace

A flaw was found in moodle. Insufficient sanitizing of data when performing a restore could result in a cross-site scripting (XSS) risk from malicious backup files.

**Exploitability Metrics**

Attack Vector: This metric reflects the context by which vulnerability exploitation is possible. This metric value (and consequently the resulting severity) will be larger the more remote (logically, and physically) an attacker can be in order to exploit the vulnerable system. The assumption is that the number of potential attackers for a vulnerability that could be exploited from across a network is larger than the number of potential attackers that could exploit a vulnerability requiring physical access to a device, and therefore warrants a greater severity.

Attack Complexity: This metric captures measurable actions that must be taken by the attacker to actively evade or circumvent existing built-in security-enhancing conditions in order to obtain a working exploit. These are conditions whose primary purpose is to increase security and/or increase exploit engineering complexity. A vulnerability exploitable without a target-specific variable has a lower complexity than a vulnerability that would require non-trivial customization. This metric is meant to capture security mechanisms utilized by the vulnerable system.

Attack Requirements: This metric captures the prerequisite deployment and execution conditions or variables of the vulnerable system that enable the attack. These differ from security-enhancing techniques/technologies (ref Attack Complexity) as the primary purpose of these conditions is not to explicitly mitigate attacks, but rather, emerge naturally as a consequence of the deployment and execution of the vulnerable system.

Privileges Required: This metric describes the level of privileges an attacker must possess prior to successfully exploiting the vulnerability. The method by which the attacker obtains privileged credentials prior to the attack (e.g., free trial accounts), is outside the scope of this metric. Generally, self-service provisioned accounts do not constitute a privilege requirement if the attacker can grant themselves privileges as part of the attack.

User interaction: This metric captures the requirement for a human user, other than the attacker, to participate in the successful compromise of the vulnerable system. This metric determines whether the vulnerability can be exploited solely at the will of the attacker, or whether a separate user (or user-initiated process) must participate in some manner.

**Vulnerable System Impact Metrics**

Confidentiality: This metric measures the impact to the confidentiality of the information managed by the VULNERABLE SYSTEM due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones.

Integrity: This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. Integrity of the VULNERABLE SYSTEM is impacted when an attacker makes unauthorized modification of system data. Integrity is also impacted when a system user can repudiate critical actions taken in the context of the system (e.g. due to insufficient logging).

Availability: This metric measures the impact to the availability of the VULNERABLE SYSTEM resulting from a successfully exploited vulnerability. While the Confidentiality and Integrity impact metrics apply to the loss of confidentiality or integrity of data (e.g., information, files) used by the system, this metric refers to the loss of availability of the impacted system itself, such as a networked service (e.g., web, database, email). Since availability refers to the accessibility of information resources, attacks that consume network bandwidth, processor cycles, or disk space all impact the availability of a system.

**Subsequent System Impact Metrics**

Confidentiality: This metric measures the impact to the confidentiality of the information managed by the SUBSEQUENT SYSTEM due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones.

Integrity: This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. Integrity of the SUBSEQUENT SYSTEM is impacted when an attacker makes unauthorized modification of system data. Integrity is also impacted when a system user can repudiate critical actions taken in the context of the system (e.g. due to insufficient logging).

Availability: This metric measures the impact to the availability of the SUBSEQUENT SYSTEM resulting from a successfully exploited vulnerability. While the Confidentiality and Integrity impact metrics apply to the loss of confidentiality or integrity of data (e.g., information, files) used by the system, this metric refers to the loss of availability of the impacted system itself, such as a networked service (e.g., web, database, email). Since availability refers to the accessibility of information resources, attacks that consume network bandwidth, processor cycles, or disk space all impact the availability of a system.

Latest News